With Apple’s recent announcement that the iPhone 5S will feature Touch ID, I thought it apt to explore the subject of biometrics as it relates to information security and provide some clarity on the jargon you might hear used around this topic.
For anyone responsible for information security within an organisation, access control is often the biggest headache. In formal, ISO standard terms, access control is the ability to permit or deny the use of an object (a passive entity, e.g. a system or file) by a subject (an active entity, e.g. a person or process). Traditionally, passwords and personal IDs or passes have been used to prevent unauthorised personnel from accessing or using premises or data. We’ve all seen the news items about how frequently these measures are breached, which is perhaps where biometrics fit in.
Biometrics is based on the third factor of authentication, something you are, rather than the other two factors: something you know (your PIN) or something you have (a credit card or token). A system that combines two or more of these factors is multi-factor authentication; a fingerprint on its own is still single-factor.
Examples of biometric identification come in the form of fingerprints, voice recognition or iris patterns. Obviously Apple’s Touch ID is a form of fingerprint identification in the new iPhone 5S. Fingerprint systems are the most common biometric systems in place today. It appears the system Apple is using is a fingerprint scan system that stores only a template of sample points (minutiae) derived from the user’s fingerprint, not an image of the print itself. This is the right move from a security perspective: a leaked template is far less useful than a stolen fingerprint image. It is not a free pass, though; research has shown that a usable approximation of a print can sometimes be reconstructed from a minutiae template, so the template still needs to be protected at rest and kept off the network.
Accuracy is critical to any biometric system. Another important factor is the system’s ability to detect or reject forged or counterfeit input data (often called liveness detection or presentation attack detection). False Reject Rate (FRR), or type 1 error, and False Acceptance Rate (FAR), or type 2 error, are the common terms when dealing with the accuracy of a system. FRR is the percentage of authorised users to whom the system incorrectly denies access, while FAR is the percentage of unauthorised users to whom the system incorrectly grants access. The two trade off against each other: a matcher produces a similarity score and compares it with a threshold, and raising that threshold lowers FAR but raises FRR. The Crossover Error Rate (CER), also called the Equal Error Rate (EER), is the threshold setting at which FRR equals FAR, and is the usual single number for comparing systems.
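To make the FRR/FAR trade-off concrete, here is an added example (not from the original post, and nothing to do with Apple’s actual matcher). It sweeps a decision threshold over a set of constructed match scores for a hypothetical fingerprint matcher, computes FRR and FAR at each threshold, locates the crossover point, and then shows what it costs in false rejects to drive FAR down to a chosen target. All scores are invented sample data; the 0 to 100 score scale is an assumption.

```python
"""FRR/FAR threshold sweep and crossover (CER/EER) on constructed match scores."""

# Constructed sample data (not real sensor output). Each value is a similarity
# score (assumed 0-100) a hypothetical matcher returned when comparing a live
# finger against an enrolled template.
GENUINE_SCORES = [92, 88, 85, 81, 79, 77, 75, 73, 70, 68,
                  66, 64, 61, 58, 55, 52, 48, 45, 40, 35]   # the enrolled user
IMPOSTOR_SCORES = [8, 12, 15, 18, 22, 25, 28, 31, 34, 37,
                   40, 43, 46, 49, 52, 55, 58, 62, 66, 71]  # other people


def error_rates(threshold, genuine, impostor):
    """Return (FRR, FAR) when a score >= threshold is accepted.

    FRR (type 1): fraction of genuine attempts that fall below the threshold.
    FAR (type 2): fraction of impostor attempts that reach the threshold.
    """
    frr = sum(score < threshold for score in genuine) / len(genuine)
    far = sum(score >= threshold for score in impostor) / len(impostor)
    return frr, far


def sweep(genuine, impostor, thresholds=range(0, 101)):
    """List of (threshold, FRR, FAR) for every candidate threshold."""
    return [(t, *error_rates(t, genuine, impostor)) for t in thresholds]


def crossover(genuine, impostor):
    """Threshold where FRR and FAR are closest (the CER/EER operating point)."""
    return min(sweep(genuine, impostor), key=lambda row: abs(row[1] - row[2]))


def operating_point(genuine, impostor, max_far):
    """Lowest threshold whose FAR does not exceed max_far, with the FRR it costs.

    This is how a deployment picks a threshold: fix the acceptable FAR for the
    threat model, then see how many legitimate users get locked out.
    """
    for row in sweep(genuine, impostor):
        if row[2] <= max_far:
            return row
    raise ValueError("no threshold meets the FAR target")


if __name__ == "__main__":
    t, frr, far = crossover(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER/EER: threshold={t} FRR={frr:.2f} FAR={far:.2f}")
    for target in (0.05, 0.0):
        t, frr, far = operating_point(GENUINE_SCORES, IMPOSTOR_SCORES, target)
        print(f"FAR<={target:.2f}: threshold={t} FRR={frr:.2f} FAR={far:.2f}")
```

On this constructed data the genuine and impostor score distributions overlap, so the crossover sits at 25% for both rates, and forcing FAR to zero pushes FRR to 60%. Real sensors separate the distributions far better than this toy set, but the shape of the trade-off is the same: the only way to get FAR to exactly zero is to reject so many genuine attempts that the system becomes unusable.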
No real biometric system has a FAR of zero, and we should not expect Touch ID to either; what matters is that the FAR is low enough for the threat model, that the sensor rejects fake fingers, and that the device limits the number of attempts before falling back to the passcode. It is also worth being clear that Touch ID does not do away with the PIN or passcode: one must still be set, and it remains the fallback when the fingerprint is not recognised, so the fingerprint is a convenience on top of the passcode rather than a replacement for it. Even so, I applaud Apple for moving mainstream users beyond a bare password. The password alone is coming to the end of its natural useful lifecycle. Time will tell if fingerprint authentication in mobile devices becomes more commonplace, but with many people storing vast amounts of personal data on their mobile devices it would seem like a sensible information security move.